Refreshing an access token

According to the spec “The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client.”

It appears that in my Okta tenant, I am NOT getting back a new refresh token when I use the refresh_token grant type to get a new access token from the /token endpoint. Is this the default behavior of Okta? Is it configurable somewhere in the admin portal?

Hi @cat,

The key word in the spec is “MAY”. It’s not a “MUST”.
Okta doesn’t generate a new refresh token each time the /token endpoint is called.
The default and only behavior currently is to use the same refresh token until it expires.

@vijet Sounds good, thank you for clarifying! I think that should be called out in the documentation :wink:

1 Like

Thank you for pointing it out. We will update the documentation :slight_smile:

1 Like

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.